2142 hack event(s)
Description of the event: A newly deployed vault contract of Thetanuts Finance was exploited via a First Depositor Attack. The attacker took advantage of the vault’s share calculation logic when totalAssets and totalSupply were both 0 at initialization: they deposited a minimal amount (e.g., 1 wei) to mint 1 share, then directly transferred a large amount of assets (e.g., ETH) to the contract, manipulating the asset-to-share ratio. When subsequent users deposited, they received almost no shares, allowing the attacker to redeem their single share for nearly all the vault’s assets. The loss was approximately $50,000. The protocol focuses on on-chain options and yield vaults; this incident affected a specific new vault.
Amount of loss: $ 50,000 Attack method: Smart Contract Vulnerability
Description of the event: Juicebox V3 (via its REVLoans borrowing extension) was exploited through a borrowFrom Spoof Attack. The vulnerability stemmed from insufficient validation in the borrowFrom function, particularly the caller-supplied "source" parameter (a REVLoanSource struct with .terminal and .token). This allowed forging an accounting context; when currency matched the destination, the protocol skipped the oracle and used attacker-controlled decimals/balances, enabling borrowing at an inflated share price. The attack used two transactions (one to seed fake accounting, one to drain against a legitimate terminal), draining approximately 21.77 ETH (worth ~$52,000).
Amount of loss: $ 52,000 Attack method: Smart Contract Vulnerability
Description of the event: Vercel CEO Guillermo Rauch stated on X that the company is currently conducting a full investigation into a security incident. The incident originated from a compromise of Context.ai, an AI platform used by a Vercel employee. This breach led to the attacker gaining access to the employee’s Google Workspace account associated with Vercel. From there, the attacker carried out a series of actions that further escalated access within the environment. Vercel clarified that all customer environment variables are fully encrypted at rest. However, the platform allows some variables to be explicitly marked as “non-sensitive.” The attacker was able to enumerate these and leverage them to gain additional access. The company noted that the speed of the attacker’s actions and their understanding of Vercel’s architecture were beyond expectations.
Amount of loss: - Attack method: Supply Chain Attack
Description of the event: A custom sAVAX Aave Rebalancer contract on Avalanche was exploited. The public function b2a13230() allowed the caller to pass arbitrary target and data, executing target.call(data) while the contract still held the user’s Aave V3 Credit Delegation (borrowing permission). The attacker used this to call Aave’s borrow() on behalf of the victim and drain WAVAX. A whitehat bot frontran the transaction and recovered all funds before any withdrawal, resulting in zero net loss to the user.
Amount of loss: $ 64,000 Attack method: Smart Contract Vulnerability
Description of the event: LayerZero issued a statement saying that on April 18, Kelp DAO suffered an attack resulting in approximately $290 million in losses. The incident is initially assessed to have been carried out by a highly sophisticated nation-state actor, suspected to be the TraderTraitor subgroup of North Korea’s Lazarus Group. The attack was completely isolated to Kelp DAO’s rsETH configuration and was caused by its use of a single DVN (Decentralized Verifier Network) setup. The LayerZero protocol itself was not exploited, and no other cross-chain assets or applications were affected. The core of the attack involved the hacker compromising downstream RPC infrastructure used by LayerZero’s DVN. The attacker obtained the RPC node list used by the DVN, then infiltrated two independent RPC nodes. They replaced the op-geth binary and used a custom payload to forge messages. This setup allowed the attacker to display false data only to the DVN, while showing correct data to other observers, including LayerZero Scan. The attacker then launched a DDoS attack against the uncompromised RPC nodes, forcing a failover to the poisoned RPC nodes. As a result, the DVN accepted the falsified messages, enabling the attack to succeed. After the attack was completed, the attacker removed the malicious binaries, logs, and configuration files. LayerZero has since decommissioned all affected RPC nodes, replaced them, and confirmed that the DVN has returned to normal operation.
Amount of loss: $ 293,000,000 Attack method: Supply Chain Attack
Description of the event: Vitalik Buterin stated on X that the DNS registrar for eth.limo has been attacked. He advised users to temporarily avoid accessing vitalik.eth.limo or any other eth.limo-related pages until official confirmation is given that the issue has been resolved and services are back to normal.
Amount of loss: - Attack method: Supply Chain Attack
Description of the event: According to CertiK, a security incident occurred in the NEAR ecosystem DeFi protocol Rhea Finance. The attacker created multiple fake token contracts and added liquidity to newly created pools, allegedly misleading the protocol’s oracle and validation layers, thereby extracting at least approximately $7.6 million in assets from the related pools. On April 18, Rhea Finance released an update regarding its security incident, stating that its lending market suffered an unauthorized attack on April 16, specifically targeting its leveraged trading functionality. The attacker exploited a potential vulnerability in the slippage protection mechanism, stealing approximately $18.4 million in assets from the protocol’s reserve pool. This resulted in actual losses within the protocol, affecting both reserve balances and participating users. The attacker has since returned approximately 3.359 million USDC and 1.564 million NEAR to the RHEA lending contract. In addition, 4.34 million USDT has been frozen—of which 3.291 million USDT was frozen by Tether in the attacker’s wallet, and 1.053 million USDT was frozen within NEAR Intent. Meanwhile, to ensure fund safety, the lending contract has been suspended, and recovery efforts are still ongoing. The team is actively attempting to contact the attacker in order to recover the remaining affected assets. Furthermore, the team has formally initiated tracking procedures with centralized exchanges to identify the account holder.
Amount of loss: $ 18,400,000 Attack method: Slippage Protection Logic Flaw
Description of the event: According to The Block, Grinex, an exchange registered in Kyrgyzstan with ties to the Russian crypto market, has suspended withdrawals and trading following a large-scale cyberattack. A statement on the exchange’s website said that more than 1 billion rubles (approximately $13.1 million) were stolen, describing the attack as a “coordinated operation aimed at undermining Russia’s financial sovereignty,” requiring resources and capabilities exclusive to “hostile states” to carry out. Blockchain analytics firm Elliptic stated that the suspected attacker stole approximately $15 million worth of USDT from wallets associated with Grinex. The funds were then routed through the TRON and Ethereum networks and converted into TRX and ETH, likely in an attempt to reduce the risk of being frozen by Tether. Grinex is considered the successor to the previously sanctioned Garantex exchange. After Garantex shut down, Grinex absorbed its liquidity and users and has since become a major venue for ruble-to-crypto trading.
Amount of loss: $ 15,000,000 Attack method: Hot Wallet Infrastructure Breach
Description of the event: On April 16, 2026, Rhea Finance (formerly Burrow Finance) was exploited. The attacker spent two days preparing with 423 wallets, deploying fake token contracts, and creating manipulated liquidity pools on Ref Finance to build fake swap routes. They then exploited a logic flaw in Rhea Lend’s margin trading slippage protection (which incorrectly summed min_amount_out without accounting for reused intermediate tokens in multi-step swaps), allowing them to borrow real assets, trigger forced liquidations, and drain the reserve pool. Initial estimates were ~$7.6M, later revised to $18.4M total drained. The attack primarily affected the Rhea Lend contract (Rhea DEX was paused as a precaution). The team paused contracts, collaborated with Tether to freeze assets, and the attacker returned portions of the funds. The protocol committed to covering any remaining shortfall, ensuring user funds were protected.
Amount of loss: $ 18,400,000 Attack method: Smart Contract Vulnerability
Description of the event: LootBot AI’s xLoot NFT Staking contract was exploited via a Logic Error (Duplicate NFT ID in Redemption). The redeem() function did not validate duplicate token IDs in the input array. The _redeemable() logic accumulated ETH rewards per epoch for each ID without checking for duplicates, and the nextRedeem mapping was only updated after payout. The attacker flash-loaned 2.1 ETH, triggered a new epoch, called redeem() with 7 NFT IDs each duplicated 155 times, draining ~6.21 ETH. After repaying the flash loan, net profit was ~4.1 ETH ($9,600). The project appears largely abandoned (last official X activity in 2025).
Amount of loss: $ 9,600 Attack method: Smart Contract Vulnerability
Description of the event: Blockchain security firm Blockaid reported that its system has detected a front-end attack on the decentralized exchange CoW Swap, and that cow.fi has been flagged as a malicious site. Blockaid warned that users who have previously connected their wallets to CoW Swap should immediately revoke any related contract approvals via their wallets or security tools, and refrain from interacting with cow.fi until the issue is resolved to prevent potential asset loss. Subsequently, CoW DAO issued a statement confirming that the CoW Swap front end (swap.cow.fi) is currently experiencing issues. The team is actively investigating and advised users to temporarily avoid using the platform for trading. On April 16, it was reported that CoW Swap announced on X (formerly Twitter) that it has regained control of the cow.fi domain and has been operating normally on cow.finance for some time. The platform is now gradually transitioning back to its original domain.
Amount of loss: $ 1,200,000 Attack method: Supply-chain attack
Description of the event: Based on monitoring by CertiK Alert, the Hyperbridge gateway contract fell victim to an exploit. The attacker used forged messages to manipulate administrative permissions of the Polkadot token contract on the Ethereum network. By minting 1 billion tokens without authorization and liquidating them, the attacker realized a profit of roughly $237,000. On April 16, it was reported that, according to an official announcement from Hyperbridge, its token gateway was attacked on April 13. The estimated losses have been revised from approximately $237,000 to about $2.5 million, mainly affecting incentive liquidity pools on Ethereum, Base, BNB Chain, and Arbitrum.
Amount of loss: $ 2,500,000 Attack method: Smart Contract Vulnerability
Description of the event: The DeFi project Dango released an update three hours after disclosing a security incident last night, stating that the white-hat hacker has fully returned the stolen funds and received a bug bounty. User funds were not affected. The founder of Dango said that fixes will be deployed, additional security measures will be implemented, and preparations are underway to restart the blockchain. According to the earlier announcement, the attacker exploited a logic flaw in the insurance fund to steal USDC collateral. The vulnerability arose because the insurance fund allowed anyone to make donations but failed to verify that the donation amount was positive. Thanks to rate limits on the cross-chain bridge, the attacker was only able to bridge $410,000 worth of USDC to Ethereum, while the remaining $1.49 million stayed on Dango and was successfully recovered. The vulnerability has now been fixed and does not affect other trading system functions such as order matching, PnL settlement, or liquidation.
Amount of loss: $ 1,900,000 Attack method: Insurance Fund Logic Vulnerability
Description of the event: On April 14, 2026, attackers exploited the BurnAddress mechanism in the MONA token on BSC via a Deferred LP Burn / reserve manipulation attack. The attacker first farmed 10,000 MONA through 25 fresh accounts, sold 9,900 MONA to create a deferred burn credit, bought out most of the pool's MONA inventory, then triggered BurnAddress.burn() with a zero-value transferFrom to burn MONA directly from the LP and call sync(). This left the MONA/USDT pair with near-zero MONA but almost full USDT reserves. Finally, selling the remaining ~100 MONA drained a large amount of USDT. Flash loans from Moolah and borrowing from Venus were used for funding and fully repaid in the same transaction. The root cause was non-atomic handling in _handleSell() and burnsellMona(): USDT payout happened immediately while MONA burn was deferred and could be triggered later, breaking the AMM invariant.
Amount of loss: $ 60,950 Attack method: Reserve Manipulation Attack
Description of the event: Attackers exploited a vulnerability in SubQuery Network’s Settings contract on the Base network (the setContractAddress() function missing the onlyOwner access control modifier). By repeatedly calling this function, the attacker set their address as StakingManager and RewardsDistributor, enabling drainage of pooled SQT from the Staking contract, impacting 272 individual staker/delegator wallets, RewardsBooster, and a small protocol Treasury. Approximately 382,433,441 SQT were drained (worth about $134,000 USD at the time). The team quickly responded by deploying a fix, pausing withdrawals, and committing to full compensation for all affected users. No user private keys were compromised. The root cause was a missing access control from a prior code refactor.
Amount of loss: $ 134,000 Attack method: Smart Contract Vulnerability
Description of the event: An employee device at Zerion was compromised through an AI-driven social engineering attack, allegedly linked to a DPRK-associated advanced persistent threat (APT) group. The attacker successfully obtained the employee’s logged-in sessions, account credentials, and private keys to company hot wallets used for internal testing and operations, and subsequently transferred approximately $100,000 from multiple internal hot wallets. No user funds were affected in this incident, and Zerion’s products, mobile applications, and backend infrastructure were not compromised. The attack was limited to an employee device and internal company hot wallet systems. Following the incident, the team proactively took down the web application and carried out full credential rotation, device security reviews, and infrastructure hardening measures to prevent further risk exposure.
Amount of loss: $ 100,000 Attack method: AI-enabled Social Engineering Attack
Description of the event: Aethir's cross-chain bridge contracts (primarily AethirOFTAdapter and Ethereum-related bridging contracts) were targeted in an exploit. The attacker attempted to drain funds by exploiting access control or ownership transfer vulnerabilities (e.g., transferOwnership issues), involving chains like BNB Chain. The Aethir team quickly detected the anomaly, promptly disconnected the compromised contracts, and collaborated with major exchanges (Binance, Upbit, Bithumb, etc.) to blacklist attacker wallets, effectively containing further damage. The main ATH token supply on Ethereum remained intact, and other bridges like ETH-ARB on Squid were unaffected. Initial estimates put potential losses around $400,000, but user impact was limited to under $90,000. The project promised a full compensation plan.
Amount of loss: $ 90,000 Attack method: Smart Contract Vulnerability
Description of the event: A user mistakenly approved the SquidMulticall contract (instead of the intended Squid Router contract) with unlimited token allowances. An attacker then called the permissionless run() function on SquidMulticall with crafted calldata to execute transferFrom() from the victim’s approved tokens across multiple chains (ETH, BSC, Arbitrum, Avalanche, etc.). This drained approximately $517K.
Amount of loss: $ 517,000 Attack method: Approval Exploit
Description of the event: The Computility-associated TGAI project on BSC suffered a reserve manipulation attack on a PancakeSwap V2 liquidity pool. The hacker used a ~$2.4M USDT flash loan, deployed multiple helper contracts to buy TGAI, manipulated reserves via the sync() function with a ~17.5K USDT injection, then swapped to extract profits, resulting in a loss of approximately $11.94K.
Amount of loss: $ 11,940 Attack method: Reserve Manipulation Attack
Description of the event: Decentralized perpetual futures trading platform Denaria announced on X that it suffered a smart contract attack yesterday, resulting in a loss of approximately $165,000. The team is currently working with Linea and auditing partners to investigate the incident and will release a full post-mortem report as soon as possible.
Amount of loss: $ 165,000 Attack method: Smart Contract Vulnerability